
question: Not redirected back to the app from keycloak #367

Open
theodotos opened this issue Nov 7, 2024 · 4 comments

Comments

@theodotos

Not redirected back to the app from keycloak

We already have a working keycloak setup.

  • keycloak.example.com is the keycloak setup
  • app.example.org is the application where authcrunch serves as a reverse proxy

The problem is that when we are redirected to keycloak.example.com we are not prompted for login and we are not redirected back to app.example.org. Instead we get a JSON response from Keycloak:

{
  "realm": "master",
  "public_key": "Some Public Key here",
  "token-service": "https://keycloak.example.com/auth/realms/master/protocol/openid-connect",
  "account-service": "https://keycloak.example.com/auth/realms/master/account",
  "tokens-not-before": 0
}

The configuration is:

{
        auto_https off
        debug

        order authenticate before respond
        order authorize before basicauth

        security {
                oauth identity provider keycloak {
                        driver generic
                        realm keycloak
                        client_id client-test
                        client_secret SecretFor_client-test
                        scopes openid email profile
                        metadata_url https://keycloak.example.com/auth/realms/master/.well-known/openid-configuration
                }

                authentication portal myportal {
                        crypto default token lifetime 3600
                        crypto key sign-verify PassphraseForPrivateKey
                        enable identity provider keycloak
                        cookie domain example.org
                        ui {
                                links {
                                        "My Website" https://app.example.org icon "las la star"
                                        "My Identity" "/whoami" icon "las la user"
                                }
                        }
                        transform user {
                                match origin keycloak
                                action add role users
                        }
                }

                authorization policy mypolicy {
                        set auth url https://keycloak.example.com/auth/realms/master
                        allow roles admin users
                        crypto key verify PassphraseForPrivateKey
                }
        }
}

app.example.org:443 {

        root * /srv/app.example.org/app/webroot
        php_fastcgi localhost:3000 {
                index index.php
                header_up Host {http.request.host}
                header_up X-Forwarded-For {http.request.remote}
                header_up X-Forwarded-Proto {http.request.scheme}
        }
        file_server

        reverse_proxy /ws/* websocket_pool {
                header_up Connection "upgrade"
                header_up Upgrade {http.request.header.Upgrade}
        }


        @rewritePath {
                path_regexp path ^/(.*)$
        }
        rewrite @rewritePath /index.php?__path__=/{http.regexp.path.1}

        tls /etc/letsencrypt/live/app.example.org/fullchain.pem /etc/letsencrypt/live/app.example.org/privkey.pem
        authorize with mypolicy
        authenticate with myportal

        respond "app is running"

        log {
                output file /srv/authcrunch/log/access.log
                level DEBUG
                format console
        }

        @dotFiles {
                path */.*
                not path /.well-known/*
        }
}

Version Information

I use authcrunch v1.0.11 on Linux AMD64.

Here's a list of modules:

# ./bin/authcrunch list-modules --versions | grep -E "(auth|security)"
http.authentication.hashes.bcrypt v2.7.6
http.authentication.hashes.scrypt v2.7.6
http.authentication.providers.http_basic v2.7.6
http.handlers.authentication v2.7.6
tls.client_auth.leaf v2.7.6
http.authentication.providers.authorizer v1.1.28
http.handlers.authenticator v1.1.28
security v1.1.28
security.secrets.aws_secrets_manager v1.0.1

Expected behavior

I expect to be prompted for login on nextcloud and be redirected back after the successful login.

I read this guide:

https://docs.authcrunch.com/docs/authenticate/oauth/backend-oauth2-0011-keycloak

and based my configuration on this example:

https://github.com/greenpau/caddy-auth-docs/blob/main/assets/conf/oauth/keycloak/Caddyfile

Any idea what I am doing wrong?
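The symptom in this report (landing on the realm base URL and getting realm metadata JSON instead of a login page, then never returning to the app) comes down to two things an operator can check: where the authorization policy sends unauthorized users, and whether the Keycloak client allows the portal's callback URI. The following checker is an added example, not code from the issue, authcrunch or Keycloak; it assumes the portal's callback lives at `<portal base>/oauth2/<provider>/authorization-code-callback` and that a trailing `*` in Keycloak's "Valid redirect URIs" acts as a prefix wildcard.

```python
"""Sanity-check the redirect chain in an authcrunch + Keycloak setup.

Added diagnostic example; not code from the issue, authcrunch or Keycloak.
Assumptions: the portal serves its OAuth2 callback at
<portal base>/oauth2/<provider>/authorization-code-callback, and a trailing
'*' in Keycloak's "Valid redirect URIs" acts as a prefix wildcard.
"""
from urllib.parse import urlparse


def expected_callback(portal_base: str, provider: str) -> str:
    """redirect_uri the portal sends to the identity provider (assumed path)."""
    return f"{portal_base.rstrip('/')}/oauth2/{provider}/authorization-code-callback"


def redirect_allowed(callback: str, valid_redirects: list[str]) -> bool:
    """Mimic Keycloak's check: exact match, or prefix match for a trailing '*'."""
    for pattern in valid_redirects:
        if pattern.endswith("*"):
            if callback.startswith(pattern[:-1]):
                return True
        elif callback == pattern:
            return True
    return False


def auth_url_is_portal(auth_url: str, app_host: str, idp_host: str) -> bool:
    """'set auth url' is where unauthorized requests are sent to log in.
    It must land on the portal (app host); sending users straight to the
    realm base on the IdP host returns realm metadata JSON, as in the report."""
    host = urlparse(auth_url).hostname
    return host == app_host and host != idp_host


def check_setup(auth_url: str, portal_base: str, provider: str,
                valid_redirects: list[str], app_host: str, idp_host: str) -> list[str]:
    """Return human-readable findings; an empty list means both checks pass."""
    findings = []
    if not auth_url_is_portal(auth_url, app_host, idp_host):
        findings.append(f"auth url {auth_url} bypasses the portal on {app_host}")
    cb = expected_callback(portal_base, provider)
    if not redirect_allowed(cb, valid_redirects):
        findings.append(f"Keycloak client does not allow redirect_uri {cb}")
    return findings


if __name__ == "__main__":
    # Constructed values mirroring the sanitized hosts in the issue.
    for f in check_setup("https://keycloak.example.com/auth/realms/master",
                         "https://app.example.org/auth", "keycloak",
                         ["https://keycloak.example.com/*"],
                         "app.example.org", "keycloak.example.com"):
        print("FINDING:", f)
```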

@greenpau (Owner)

@theodotos , I suggest checking the redirect url in keycloak server.

@greenpau (Owner)

@theodotos , also, I think you misunderstand how plugins work.

the following is invalid

authorize with mypolicy
authenticate with myportal

please see the issue pinned to the “Issues” tab. It has a working config, where the route directive is used.

@theodotos (Author)

Yes, it seems I have misunderstood some things. I removed the authenticate with myportal line and added the correct URL:

--- etc/Caddyfile-mypolicy      2024-11-11 14:34:53.146784597 +0000
+++ etc/Caddyfile-mypolicy-v2   2024-11-11 14:35:09.418727879 +0000
@@ -33,7 +33,7 @@
                }
 
                authorization policy mypolicy {
-                       set auth url https://login-test.collabora.com/auth/realms/master
+                       set auth url https://login-test.collabora.com/auth
                        allow roles admin collaboran
                        crypto key verify PassphraseForPrivateKey
                }
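Review bot: the new `set auth url` value still points at the Keycloak host (`https://login-test.collabora.com/auth`), only with the realm path trimmed; this directive is where unauthorized requests are redirected to log in, and since `authenticate with myportal` is removed in the next hunk there is no portal on the application host for that redirect or for the OAuth2 callback to land on. Point it at the route on the app host that serves the portal, as in the pinned issue's config that uses the `route` directive. Also note that the hostnames in this diff (login-test.collabora.com, kati.collaboradmins.com) differ from the sanitized keycloak.example.com / app.example.org in the report, so the Keycloak client's redirect URI needs to be checked against the real application host.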
@@ -63,7 +63,6 @@
        rewrite @rewritePath /index.php?__path__=/{http.regexp.path.1}
 
         tls /etc/letsencrypt/live/kati.collaboradmins.com/fullchain.pem /etc/letsencrypt/live/kati.collaboradmins.com/privkey.pem
-       authenticate with myportal
        authorize with mypolicy
 
        respond "phabricator is running"
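Review bot: removing `authenticate with myportal` leaves this site block with no route that mounts the portal, so `authorize with mypolicy` redirects to a login page that does not exist on this host and the redirect back from Keycloak after login is never handled; that matches the symptom described right below the diff. Rather than dropping the directive, move it into a `route` block for the portal path (the form the pinned issue's config shows) and set the policy's auth url to that path. The context line `respond "phabricator is running"` also differs from `respond "app is running"` in the configuration posted above, so it is worth confirming which file is actually deployed.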

Now I get redirected to the auth site of keycloak but I am not redirected back after successful authentication.

@em- commented Dec 3, 2024

Thank you @greenpau, we managed to get it working with a config similar to the one I posted on #368 (comment)

We only had to tweak the Keycloak config to drop the key using the RSA-OAEP algorithm since it is currently not in the list of valid algorithms (RSA-OAEP-256 is already there, RSA-OAEP is not). Would you like us to open a new issue on https://github.com/greenpau/go-authcrunch/ to add it to the list?
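The workaround above (dropping the RSA-OAEP key from the realm) is easier to reason about if you first see which JWKS entries a client with a fixed algorithm allow-list would refuse and whether removing them touches signature verification. The script below is an added example, not code from the comment or from go-authcrunch; its allow-list is constructed for illustration to reflect the comment (RSA-OAEP-256 accepted, RSA-OAEP not), and the JWKS is a constructed sample in the shape Keycloak publishes.

```python
"""Report JWKS keys an OIDC client would refuse because of their 'alg'.

Added example, not code from the issue or from go-authcrunch. The allowed
set is constructed for illustration to reflect the comment above
(RSA-OAEP-256 accepted, RSA-OAEP not); the real list lives in the library.
"""
import json

ALLOWED_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
                "HS256", "HS384", "HS512", "RSA-OAEP-256"}

# Constructed JWKS: one signing key plus one JWE key-management key with
# alg RSA-OAEP, the kind of key the comment above says had to be dropped.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kid": "sig-1", "kty": "RSA", "use": "sig", "alg": "RS256",
     "n": "placeholder-modulus", "e": "AQAB"},
    {"kid": "enc-1", "kty": "RSA", "use": "enc", "alg": "RSA-OAEP",
     "n": "placeholder-modulus", "e": "AQAB"},
]})


def classify_keys(jwks_text: str, allowed=ALLOWED_ALGS) -> dict:
    """Split keys into usable signing keys and keys that would be rejected.

    A client that validates every key strictly fails on the first unknown
    'alg', which is how one extra 'enc' key can break the whole login flow.
    """
    keys = json.loads(jwks_text)["keys"]
    usable, rejected = [], []
    for k in keys:
        alg = k.get("alg")
        if alg not in allowed:
            rejected.append({"kid": k.get("kid"), "alg": alg, "use": k.get("use")})
        elif k.get("use", "sig") == "sig":
            usable.append(k.get("kid"))
    return {"usable_signing": usable, "rejected": rejected,
            "strict_load_fails": bool(rejected)}


def safe_to_drop(rejected_key: dict) -> bool:
    """An 'enc' key can be removed without affecting ID/access token signature
    checks (it only matters if encrypted tokens are in use); a 'sig' key cannot."""
    return rejected_key.get("use") == "enc"


if __name__ == "__main__":
    report = classify_keys(SAMPLE_JWKS)
    for r in report["rejected"]:
        print(f"{r['kid']}: alg {r['alg']} not accepted; safe to drop: {safe_to_drop(r)}")
```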
